/dropwizard

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix #953 Possible reflective cross site scripting in ConstraintViolations #1001

Merged
merged 1 commit into from Apr 25, 2015

Conversation

Reviewers
No reviews
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
  0.9.0
5 participants
@WarFox @piefel @carlo-rtr @joschi @arteam
@WarFox

WarFox commented Apr 19, 2015

  • ConstraintViolations should not print the invalid value as it may cause reflective-cross-site scripting issue
  • Fixed all unit tests that expect the (was {invalidValue}) in the violation message.
Deepu Mohan Puthrote
fix #953 Possible reflective cross site scripting in ConstraintViolation 
* ConstraintViolation should not print the invalid value as it may cause reflective-cross-site scripting issue
* Fixed all unit tests that expect the (was {invalidValue}) in the violation message.
9dabfaa

@WarFox WarFox referenced this pull request Apr 21, 2015

Closed

Possible reflective cross site scripting in the io.dropwizard.validation.ConstraintViolations #953

@piefel

This comment has been minimized.

Sign in to view

piefel commented Apr 21, 2015

Since the format() call is also used for the trace logging in JacksonMessageBodyProvider where printing the invalid value is harmless but helpful, I wonder whether there couldn’t be a second format function that would exhibit the classic behaviour.
@carlo-rtr

This comment has been minimized.

Sign in to view
Member

carlo-rtr commented Apr 24, 2015

I think we should add a debug log with the invalid value, so it can be debugged on the server side.

I think this would also address @piefel concern without having to maintain a flag or separate methods.

@joschi you commented on #892 which is related, what do you think about this?

@joschi joschi added this to the 0.9.0 milestone Apr 25, 2015

@joschi

This comment has been minimized.

Sign in to view
Member

joschi commented Apr 25, 2015

I'm all for it. Let's just remove the original, tainted input from the error messages.

joschi added a commit that referenced this pull request Apr 25, 2015

@joschi
Merge pull request #1001 from WarFox/fix/dropwizard-953 
Possible reflective cross site scripting in ConstraintViolation

Fixes #953
fe53b65

@joschi joschi merged commit fe53b65 into dropwizard:master Apr 25, 2015

@WarFox

This comment has been minimized.

Sign in to view

WarFox commented Apr 25, 2015

I agree with @carlo-rtr about the debug logs, that could be of help to some projects.

Should we add the debug logs?

@arteam arteam added the bug label Apr 26, 2015

@carlo-rtr

This comment has been minimized.

Sign in to view
Member

carlo-rtr commented Apr 27, 2015

I think so :)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment